WO2022166166A1 - Function verification method and apparatus for security component - Google Patents
- Publication number: WO2022166166A1 (application PCT/CN2021/113909)
- Authority: WO, WIPO (PCT)
- Prior art keywords: test sample, test, result, function, protective device
Classifications
- H04L43/00: Arrangements for monitoring or testing data switching networks (H: Electricity; H04: Electric communication technique; H04L: Transmission of digital information, e.g. telegraphic communication)
- H04L43/50: Testing arrangements
- H04L43/08: Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0805: Monitoring or testing based on specific metrics by checking availability
Definitions
- Protection devices: In order to improve the security of the local area network, many enterprises have set up protective equipment such as firewalls and security gateways. Protection devices usually integrate many security components, such as fragmentation serialization processing components, session reassembly components, traffic detection components, file restoration components, file detection components, protocol identification components, domain name detection components and many more. The protection device uses a series of security components to detect attacks on packets, so as to block attacks in time when an attack is discovered, thereby ensuring the network security of the local area network.
- the method further includes: generating a function verification result according to whether the detection result is consistent with the expected result, where the function verification result is used to indicate whether the function of the security component is normal.
- the above method helps to avoid functional verification failure due to interception of test samples.
- the detection result includes an attack type, a protocol type, a virus type, a malicious domain name, a malicious Internet protocol (IP) address, or an indicator of no attack.
- IP: Internet protocol
- In a third aspect, a test server is provided, which includes a memory, a network interface, and at least one processor, and is configured to implement the functions of the first aspect or any optional manner of the first aspect.
- In a fourth aspect, a network system is provided, which includes the test server provided in the third aspect and the protection device.
- the embodiment of the present application provides a method for realizing high-efficiency security component function verification based on the linkage between a test server and a protection device.
- a test sample is delivered to a protection device deployed in an actual network environment, and the test sample flows as input traffic through the security components of the protection device in sequence.
- each security component detects the test sample and generates a corresponding detection result; the detection result is compared with the expected result, and whether the security component in the protective device functions normally is determined according to the comparison result.
- the method supports the execution of the use process when the protection device is deployed in the existing network, thereby finally realizing all-weather guarantee for the security components of the existing network device.
- the test server 11 is optionally deployed in the Internet (or referred to as an extranet), and the test server 11 is sometimes also referred to as a cloud server.
- the test server 11 stores test samples, and the test samples include attack packets, packet streams carrying malicious files, and the like.
- the test server 11 includes a result comparison module.
- the result comparison module is used to compare the detection result sent by the protective device with the expected result to determine whether the function of the safety component in the protective device is normal.
- the protective device 21 , the protective device 22 , the protective device 23 , and the protective device 24 are respectively deployed in the local area networks of different customers. As shown in FIG. 1 , the protection device 21 is deployed at the boundary of the local area network of customer one, the protection device 22 is deployed at the boundary of the local area network of customer two, the protection device 23 is deployed at the boundary of the local area network of customer three, and the protection device 24 is deployed at the boundary of the local area network of customer N.
- a specific description is given below by taking a protective device 24 in FIG. 1 as an example. For the principles of other protective devices in FIG. 1 , reference may be made to the protective device 24 .
- the protection device 24 includes, but is not limited to, one or more of: firewalls, security gateways (such as routers or switches), intrusion detection system (IDS) type devices, intrusion prevention system (IPS) type devices, unified threat management (UTM) equipment, anti-virus (AV) equipment, anti-distributed denial-of-service (anti-DDoS) equipment, and next generation firewalls (NGFW).
- the protection device 24 performs security detection on the packet flow in and out of the local area network through multiple security components, thereby confirming whether the packets in the packet flow are attack packets and whether the files carried in the packet flow are malicious files.
- the plurality of security components in the protective device 24 can optionally be in a serial-processed relationship or a parallel-processed relationship. The function of each safety component in the protective device 24 is described below.
- the session reassembly component is used to arrange the individual packets in order.
- the session reassembly component is specifically used to reassemble the individual TCP messages of a TCP flow, after sorting, into a complete TCP session.
- the packets processed by the session reassembly component are obtained after being processed by the fragment serialization processing component.
- the protocol identification component is used to identify the protocol on which the message is based.
- the protocol identification component is specifically configured to identify the application layer protocol on which the message is based, such as hypertext transfer protocol (hyper text transfer protocol, HTTP), file transfer protocol (file transfer protocol, FTP), Simple mail transfer protocol (simple mail transfer protocol, SMTP) and so on.
- the file restore component is used to obtain files from messages. Specifically, after the protocol identification component identifies the application layer protocol, the file restoration module performs application layer protocol analysis on one or more packets based on the application layer protocol, and reorganizes the payload field of the analysis result to obtain the file.
- the blacklist component is used to detect whether the source address of the packet matches the blacklist. If the source address of the packet matches the blacklist, the packet is discarded and the subsequent detection process is not continued.
- the whitelist component is used to detect whether the source address of the packet matches the whitelist. If the source address of the packet matches the whitelist, the packet will be released instead of continuing the further detection process.
- the reputation detection component is used to detect the content contained in the message, such as URLs or files.
- the reputation comes from alarm hashes generated from historically detected content. By comparing the hash of a new file with the hashes in the reputation, content detection becomes highly efficient, since the content does not need to be scanned and detected again.
- Attack packets refer to packets that initiate network attacks through packets.
- the attack packets are flood attack packets, buffer overflow attack packets, and single-packet attack packets (eg, malformed packets, scan attack packets, etc.).
- the normal message is, for example, a service message from a client.
- Test files include but are not limited to malicious files or normal files.
- the malicious file used as the test file is, for example, an executable file. After the malicious file is executed on the client, it will cause an attack on the client. Malicious files contain malicious code. For example, malicious files are files that contain viruses, Trojans, or worms.
- Fig. 3, Fig. 4 and Fig. 5 show the contents of three PCAP files.
- FIG. 4 shows the content of the mining login attack message.
- the data in Figure 4 represents the four interaction steps of the mining login attack. In the first step the client sends a mining login request; in the second step the server returns the mining work content; in the third step the client sends a heartbeat request to the server; in the fourth step the server acknowledges the client's heartbeat request.
- Implementation mode 1: the test server sends the test sample to the protective device.
- the protective device pulls the test samples from the test server. Specifically, the protective device sends a sample acquisition request to the test server. The test server sends a test sample to the protective device in response to the sample acquisition request from the protective device.
- the sample acquisition request is triggered by a command input by the administrator to the protective device; alternatively, the sample acquisition request is triggered every set time period.
- Test server stores the test sample in a designated storage address accessible by the protective device.
- the file transfer server acts as a relay between the test server and the protective device, and the file transfer server is responsible for sending test samples to the protective device.
- the test server and the file transfer server provide test samples through linkage.
- the test server sends a transfer instruction to the file transfer server.
- the meaning of the transfer instruction is to instruct the file transfer server to send a test sample to the protective device.
- the file transfer server sends the test sample to the protective device in response to the transfer instruction from the test server.
- Step S203: the protection device detects the test sample through the security component, and generates a detection result.
- the protocol type is the type of protocol based on which the attack is launched.
- the protocol type is the detection result of the above protocol identification component.
- test samples are the 3 attack PCAPs shown in Table 1.
- Attacking PCAP is an offensive PCAP file, and the content of attacking PCAP includes attacking packet flow.
- the registration request is used to request the registration of an administrator account.
- the registration request contains the administrator account and the device ID of the protective device.
- the registration request is triggered by the registration action of the administrator of the protective device.
- Step C: in response to the query request, the test server queries the account information table and the result information table according to the administrator account, so as to obtain the function verification result corresponding to the device identification.
- the query request is used to query the functional verification results of the security components in the protective device.
- the query request contains the administrator account.
- the account information table stores the correspondence between one administrator account and the device identifiers of multiple protection devices.
- the test server queries the account information table and the result information table according to the administrator account, so as to obtain multiple function verification results corresponding to multiple device IDs, and provides these function verification results to the initiator of the query request, so that the administrator can view the condition of each protective device in batches.
- the test server determines whether the administrator account is in the logged-in state; it provides the function verification result if the administrator account is logged in, and refuses to provide the function verification result if the administrator account is not logged in.
- One way to log in with the administrator account is that the administrator triggers a login request, and the login request includes the administrator account and password.
- the test server receives the login request, queries the account information table according to the administrator account in the login request, and obtains the password corresponding to the administrator account. If the password in the login request is the same as the one obtained from the account information table, it is determined that the password is correct and the login request is approved. If the password in the login request is different from the password queried from the account information table, it is determined that the password is incorrect and the login request is rejected.
- Scenario 2: trigger the component upgrade according to the function verification result.
- the test server sends a notification message if the functional verification result indicates that the security component is not functioning properly.
- the notification message is used to inform the administrator of the protective device or the functional verification result of the protective device.
- the test server sends a notification message to the administrator through email, SMS, etc., so as to notify the administrator that the security component is not functioning properly, so that the administrator can deal with the failure on the security component.
- the destination of the notification message is a protective device.
- the test server sends a notification message to notify the protective device that the security component is not functioning properly, so that the protective device can upgrade the security component to automatically correct the fault.
- step S201 in the method shown in FIG. 2 is implemented by means of encrypted downloading.
- the test server encrypts the test sample to obtain the encrypted test sample.
- the test server sends encrypted test samples to the guard.
- the protection device receives the encrypted test sample from the test server, the protection device decrypts the encrypted test sample, obtains the test sample in plaintext, and detects the test sample in plaintext.
- the protection device is the firewall in FIG. 6 .
- the firewall acts as a client for detecting the protection loopholes in the local area network.
- the firewall is placed inside the local area network, and multiple switches are deployed in front of the firewall. If the test sample enters the LAN from the Internet and reaches the firewall after passing through multiple switches, it is determined that there is a loophole in the network protection of the LAN.
- This usage mode supports attack demonstration or network security defense evaluation scenarios, which is of high value.
- Example 1 includes the following steps 1 to 5.
- the test sample in Figure 2 is the attack PCAP in Figure 7.
- the protection device in FIG. 2 is the firewall deployed in the customer N local area network in FIG. 7 .
- the test server in FIG. 2 is the test server deployed in the Internet in FIG. 7 .
- the firewall is connected to customer N's local area network to ensure network connectivity: it fully provides the forwarding function and can connect to the Internet at the same time.
- the firewall administrator registers an account in the cloud (test server in the Internet), and sets the option to connect to the test server to enable the pull attack PCAP operation.
- the firewall administrator configures the firewall security policy (each security component) and upgrades the detection library of each component (in actual use, because of the long sales and deployment time, the firewall's component detection library lags behind the latest detection library, which is updated daily; to ensure detection capability and effect, the component detection function must be kept up-to-date).
- the firewall uses the attacking PCAP pulled from the test server as the input of the detection function, and each security component cooperates with each other in the detection process to detect the attacking PCAP.
- Each security component processes the network traffic in the attacking PCAP and generates corresponding detection results.
- the attack PCAP is processed in the firewall in the form of a packet flow. During processing, each security component detects the packet flow and generates corresponding detection logs.
- the firewall uploads the detection results corresponding to each component to the test server in the Internet.
- After the firewall generates detection results, it actively uploads them to the Internet server. When uploading the detection result, the device ID of the firewall, such as the ESN, is carried along.
- the test server compares the detection result uploaded by the firewall with the expected result, so as to determine whether the function of the security component is normal. If the security component does not function properly, the test server notifies the administrator to deal with the corresponding failure or automatically correct the failure.
- the test server also associates the acquired detection log, according to the device identification, with the account created by the firewall administrator in step 1 above.
- After the test server completes the function verification, it synchronizes the function verification results to the firewall. If the firewall determines from the function verification result returned by the test server that a certain component is not functioning properly, the firewall actively upgrades the corresponding component or notifies the administrator to deal with it, so as to eliminate the fault.
- synchronization can be done in two ways. In the first, after the firewall uploads the detection log, the test server in the Internet directly returns the function verification result. In the second, after the firewall uploads the detection log, it actively sends requests to the test server in the Internet at intervals to obtain the function verification results in batches.
- the above embodiment is based on the cloud-firewall architecture and realizes efficient verification and evaluation of the functions of firewall security components. Compared with related technologies, the usage effect and cost are greatly improved. Tested on actual data, function verification and evaluation can be realized for 100% of the security components, so component functional failures are detected in advance and security risks in the customer LAN caused by component failures are avoided.
- the deployment location of the test server in FIG. 7 is changed from being deployed in the Internet to being deployed in a local area network.
- a common server or a third-party device is placed in the local area network as a test server to provide test services, and this method can also achieve the desired goal.
- the test server in Figure 7 can also be placed inside the protective device.
- the test service is placed in the firewall (a kind of protective device), and the firewall calls the internal test service to test the security components, thereby providing the function verification service.
- The following is an example of the basic hardware structure of the test server.
- the test server 600 shown in FIG. 10 is the test server 11 in FIG. 1 .
- the test server 600 shown in FIG. 10 is the test server in the method shown in FIG. 2 .
- Test server 600 includes at least one processor 601 , memory 602 and at least one network interface 603 .
- test server 600 optionally includes multiple processors, such as processor 601 and processor 605 shown in FIG. 10 .
- processors are, for example, a single-core processor (single-CPU), or a multi-core processor (multi-CPU).
- a processor herein optionally refers to one or more devices, circuits, and/or processing cores for processing data (eg, computer program instructions).
- the input and output interface 606 is used to connect with an input device, and receive commands or data input by a user through the input device related to the above embodiments, such as expected results corresponding to test samples, administrator accounts, and addresses of test servers.
- Input devices include, but are not limited to, keyboards, touch screens, microphones, mice, or sensing devices.
- the processor 601 is further configured to, after reading the program code 610 stored in the memory 602, perform the following operation: generate a function verification result according to whether the detection result is consistent with the expected result, where the function verification result is used to indicate whether the function of the security component is normal.
- the processing unit 703 is further configured to support the apparatus 700 to encrypt the test sample.
- a unit 701 is provided for supporting the apparatus 700 to send the encrypted test sample to the protective device.
- a computer program product includes one or more computer instructions.
- the computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable device.
- Computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from a website site, computer, server, or data center over a wire (e.g.
Abstract
The present application relates to the technical field of networks, and provides a function verification method and apparatus for a security component. In the present application, a test packet or a packet stream carrying a test packet as a test sample is provided to a protection device; the test sample as input traffic flows through the security component in the protection device, sequentially; the security component performs a test on the test sample to generate a test result; the test result generated by the security component is compared with an expected result; whether a function of the security component is normal is determined according to the comparison result. The method supports function verification when the protection device has been deployed in an actual network, and thus, the method is suitable for scenarios of frequently upgrading and changing a security component, and facilitates timely discovery of a security component having a function failure in an actual application. Moreover, the method supports automatic execution of a function verification process, thereby avoiding tedious operations of manual testing, and improving test efficiency.
Description
This application claims priority to Chinese Patent Application No. 202110152435.8, filed on February 3, 2021 and entitled "Function verification method and apparatus for security component", the entire contents of which are incorporated herein by reference.
The present application relates to the field of network technology, and in particular to a function verification method and apparatus for a security component.
In order to improve the security of a local area network, many enterprises deploy protection devices such as firewalls and security gateways. A protection device usually integrates many security components, for example a fragmentation serialization processing component, a session reassembly component, a traffic detection component, a file restoration component, a file detection component, a protocol identification component, a domain name detection component, and so on. The protection device performs attack detection on packets through this series of security components so that, when an attack is found, it can be blocked in time and the network security of the local area network is ensured.
At present, the function of the security components in a protection device is ensured by the functional testing process carried out before the device leaves the factory. For example, it mainly relies on the manufacturer's testers testing the functions of the security components included in the protection device, and the testers judge from the test results whether the security components function normally.
However, the above approach only guarantees that the protection device functions normally when it leaves the factory. Once the protection device has been deployed in the live network, its security components are frequently upgraded and changed, and the function of a security component may fail during such changes; at the same time, no tester performs functional tests on the security components, so a security component whose function has failed cannot be found in time. It can be seen that the above approach is not effective for functional verification of security components.
SUMMARY OF THE INVENTION
Embodiments of the present application provide a function verification method and apparatus for a security component, which can improve the effect of functional verification of security components. The technical solution is as follows.
In a first aspect, a function verification method for a security component is provided. The method includes: providing a test sample to a protection device, where the test sample includes at least one of a test packet or a packet stream carrying a test file; acquiring a detection result generated by a security component in the protection device detecting the test sample; comparing the detection result with an expected result corresponding to the test sample; and, if the detection result is consistent with the expected result, determining that the function of the security component is normal.
In the above method, a test packet or a packet stream carrying a test file is provided to the protection device as a test sample; the test sample flows as input traffic through the security components in the protection device in turn; each security component tests the test sample and generates a detection result; the detection result generated by the security component is compared with the expected result; and whether the security component functions normally is determined from the comparison result. The method supports functional verification when the protection device is already deployed in an actual network, so it suits scenarios in which security components are frequently upgraded and changed and helps to discover in time a security component whose function has failed in actual use. At the same time, the method supports automatic execution of the functional verification process, avoiding the tedious operations of manual testing and improving test efficiency. The method therefore improves the effect of functional verification of security components.
Optionally, the test sample includes a first test sample, and before the test sample is provided to the protection device the method further includes: receiving a download request from the protection device, where the download request includes a device identifier of the protection device; and querying a sample library by the device identifier to obtain the first test sample, where the first test sample is the test sample corresponding to the device identifier in the sample library, and the sample library includes at least one correspondence between a device identifier and a test sample.
This helps provide test samples that better match the specific functions of a device, makes it easy to run targeted verification with different test samples on different devices, and makes function verification finer-grained and more flexible.
Optionally, after comparing the detection result with the expected result corresponding to the test sample, the method further includes: generating a function verification result according to whether the detection result is consistent with the expected result, where the function verification result indicates whether the function of the security component is normal.
Optionally, the method further includes: in response to a registration request that includes an administrator account and the device identifier of the protection device, saving the correspondence between the device identifier and the administrator account in an account information table; saving the correspondence between the function verification result and the device identifier in a result information table; and, in response to a query request that includes the administrator account, querying the account information table and the result information table by the administrator account to obtain the function verification result corresponding to the device identifier, and providing that function verification result to the initiator of the query request.
On the one hand, this gives administrators an information channel that helps them learn whether each component of the protection device functions normally; on the other hand, access is controlled by account: a visitor holding the administrator account can obtain information on whether the components of the protection device function normally, whereas a visitor without the administrator account cannot, which improves information security.
Optionally, after the function verification result is generated, the method further includes: if the function verification result indicates that the function of the security component is abnormal, upgrading the security component; or, if the function verification result indicates that the function of the security component is abnormal, sending a notification message, where the notification message informs the administrator of the protection device, or the protection device itself, of the function verification result.
When testing finds that a security component functions abnormally, automatically upgrading the component, or proactively notifying the administrator or the protection device of the abnormality, helps bring the component fault to closed-loop handling and corrects the fault automatically.
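The test-server side of the flow in the first aspect and its optional extensions (sample library lookup by device identifier, comparison with expected results, the account and result information tables, and a notification when a component is abnormal), as an added Python illustration that is not the patent's code or any vendor's implementation. Every device identifier, administrator account, sample name and result value below is constructed for the example; the detection result is modelled as one value per security component so that the verification result can be reported per component.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TestSample:
    """One entry of the sample library: the sample and the result each component should produce."""
    sample_id: str
    expected: dict      # component name -> expected detection result (constructed values)


@dataclass
class TestServer:
    # sample library: device identifier -> test samples for that device (constructed)
    sample_library: dict = field(default_factory=dict)
    # account information table: administrator account -> device identifiers it registered
    account_table: dict = field(default_factory=dict)
    # result information table: device identifier -> {sample_id: {component: "normal"|"abnormal"}}
    result_table: dict = field(default_factory=dict)
    # notification messages queued for the administrator: (device, component, sample)
    notifications: list = field(default_factory=list)

    def register(self, admin_account, device_id):
        """Registration request: bind the device identifier to the administrator account."""
        self.account_table.setdefault(admin_account, set()).add(device_id)

    def handle_download_request(self, device_id):
        """Download request carrying a device identifier: return that device's test samples."""
        return list(self.sample_library.get(device_id, []))

    def verify(self, device_id, sample_id, detection_result):
        """Compare the reported detection result with the expected result, store the
        function verification result per component and queue a notification when abnormal."""
        sample = next(s for s in self.sample_library[device_id] if s.sample_id == sample_id)
        verification = {}
        for component, expected in sample.expected.items():
            actual = detection_result.get(component)
            verification[component] = "normal" if actual == expected else "abnormal"
            if verification[component] == "abnormal":
                self.notifications.append((device_id, component, sample_id))
        self.result_table.setdefault(device_id, {})[sample_id] = verification
        return verification

    def query(self, admin_account):
        """Query request: only devices registered under this administrator account are visible."""
        devices = self.account_table.get(admin_account, set())
        return {d: self.result_table.get(d, {}) for d in sorted(devices)}


def demo():
    """Constructed walk-through: one device, two samples, one component that misses an attack."""
    server = TestServer()
    server.sample_library["fw-0001"] = [
        TestSample("powershell_attack.pcap",
                   {"traffic_detection": "attack:powershell", "protocol_identification": "HTTP"}),
        TestSample("benign_http.pcap",
                   {"traffic_detection": "no_attack", "protocol_identification": "HTTP"}),
    ]
    server.register("admin-n", "fw-0001")
    samples = server.handle_download_request("fw-0001")
    # Detection results as the protection device would report them (constructed);
    # the traffic detection component fails to flag the first sample.
    reported = {
        "powershell_attack.pcap": {"traffic_detection": "no_attack", "protocol_identification": "HTTP"},
        "benign_http.pcap": {"traffic_detection": "no_attack", "protocol_identification": "HTTP"},
    }
    for s in samples:
        server.verify("fw-0001", s.sample_id, reported[s.sample_id])
    return {
        "admin": server.query("admin-n"),          # registered account sees the results
        "other": server.query("someone-else"),     # unregistered account sees nothing
        "notifications": server.notifications,
    }
```

The `query` method is where the access control described above lives: the result information table is never exposed directly, only the devices bound to the requesting account in the account information table are looked up.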
Optionally, providing the test sample to the protection device includes: encrypting the test sample and sending the encrypted test sample to the protection device.
This helps avoid function verification failing because the test sample is intercepted in transit.
Optionally, the method is performed by a server deployed in the Internet, and the protection device is deployed in a local area network, where the local area network is configured with an access control policy that prohibits protection devices in the local area network from receiving data from the Internet. Providing the test sample to the protection device then includes: sending the test sample to the protection device in the local area network; and the method further includes: if the test sample is successfully transmitted to the protection device, determining that the protection of the local area network has a vulnerability.
This makes it possible to evaluate the network security of the local area network and supports attack demonstration or network security defence evaluation scenarios.
Optionally, the detection result includes an attack type, a protocol type, a virus type, a malicious domain name, a malicious Internet Protocol (IP) address, or an indicator of no attack.
This supports testing of many kinds of components, such as intrusion prevention system (IPS) components, protocol identification components, file detection components, domain name detection components and IP address detection components, making the test functions more comprehensive and diverse.
In a second aspect, a function verification apparatus for a security component is provided. The apparatus has the function of implementing the method of the first aspect or any optional manner of the first aspect. The function may be implemented by hardware, or by hardware executing corresponding software. The hardware or software includes one or more units corresponding to the above function.
In a third aspect, a test server is provided. The test server includes a memory, a network interface and at least one processor, and is configured to implement the function of the first aspect or any optional manner of the first aspect.
In a fourth aspect, a network system is provided. The network system includes the test server provided in the third aspect and a protection device.
In a fifth aspect, a computer-readable storage medium is provided. The storage medium stores at least one instruction which, when run on a computer, causes the computer to perform the method provided in the first aspect or any optional manner of the first aspect.
In a sixth aspect, a computer program product is provided. The computer program product includes one or more computer program instructions which, when loaded and run by a computer, cause the computer to perform the method provided in the first aspect or any optional manner of the first aspect.
In a seventh aspect, a chip is provided, including a memory and a processor. The memory stores computer instructions, and the processor calls and runs the computer instructions from the memory to perform the method of the first aspect or any possible implementation of the first aspect.
FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application;
FIG. 2 is a flowchart of a function verification method for a security component provided by an embodiment of the present application;
FIG. 3 is a schematic diagram of the content of a PCAP file provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of the content of another PCAP file provided by an embodiment of the present application;
FIG. 5 is a schematic diagram of the content of another PCAP file provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of another application scenario provided by an embodiment of the present application;
FIG. 7 is a flowchart of another function verification method for a security component provided by an embodiment of the present application;
FIG. 8 is a flowchart of another function verification method for a security component provided by an embodiment of the present application;
FIG. 9 is a flowchart of another function verification method for a security component provided by an embodiment of the present application;
FIG. 10 is a schematic structural diagram of a test server provided by an embodiment of the present application;
FIG. 11 is a schematic structural diagram of a function verification apparatus for a security component provided by an embodiment of the present application.
To make the objectives, technical solutions and advantages of the present application clearer, the embodiments of the present application are described in further detail below with reference to the accompanying drawings.
The related technology relies on the functional testing process a protection device goes through before leaving the factory to assure the function of the security components in the device. This approach has several defects. First, there is no guarantee that the detection functions of a protection device that passed pre-shipment functional testing still work normally after the device is deployed in a real network environment. Second, when a protection device fails, the fault point has to be located manually. Third, troubleshooting is passive: components in the protection device are examined only after they fail, and failures cannot be predicted in advance.
Embodiments of the present application provide a method in which a test server and a protection device cooperate to achieve efficient function verification of security components. A test sample is delivered to a protection device deployed in a real network environment; the test sample flows as input traffic through each security component in the protection device in turn; each security component detects the test sample and generates a corresponding detection result; the detection result is compared with the expected result, and whether the security component in the protection device functions normally is determined from the comparison. First, the method can be executed while the protection device is deployed and in use in the live network, ultimately providing round-the-clock assurance of the security components of live-network devices. Second, the method can be executed automatically by the test server, reducing reliance on manual operation and thus helping to test the function of security components quickly. The test server can test a large number of protection devices and manage and maintain the test samples and test results centrally, so the security of a large number of protection devices in the network can be analysed from an overall perspective and weak points and vulnerabilities in the protection can be found. Third, by actively initiating the function verification flow for components, component functional faults can be sensed in advance, avoiding network security risks caused by component faults.
Application scenarios of the embodiments of the present application are described below by example.
FIG. 1 is a schematic diagram of an application scenario provided by an embodiment of the present application. FIG. 1 shows a scenario in which the test server 11 interacts with the protection device 21, the protection device 22, the protection device 23 and the protection device 24.
The test server 11 is optionally deployed in the Internet (also called the external network); the test server 11 is sometimes also called a cloud server. The test server 11 stores test samples, which include attack packets, packet streams carrying malicious files and the like. The test server 11 includes a result comparison module, which compares the detection results sent by a protection device with the expected results to determine whether the function of the security components in the protection device is normal.
The protection devices 21, 22, 23 and 24 are deployed in the local area networks of different customers. As shown in FIG. 1, the protection device 21 is deployed at the boundary of customer one's local area network, the protection device 22 at the boundary of customer two's local area network, the protection device 23 at the boundary of customer three's local area network, and the protection device 24 at the boundary of customer N's local area network. The protection device 24 in FIG. 1 is taken as an example for the detailed description below; the other protection devices in FIG. 1 work on the same principle as the protection device 24.
The protection device 24 protects customer N's local area network. As shown in FIG. 1, customer N's local area network includes devices such as clients, servers and switches, which are the devices the protection device 24 protects. Specifically, the protection device 24 protects these devices in the local area network from attacks launched by attackers from the Internet, or prevents these devices from being exploited by attackers to spread threats.
The protection device 24 includes, without limitation, an integration of one or more of: a firewall, a security gateway (such as a router or switch), an intrusion detection system (IDS) type device, an intrusion prevention system (IPS) type device, a unified threat management (UTM) device, an anti-virus (AV) device, an anti-distributed-denial-of-service-attack (anti-DDoS) device, and a next generation firewall (NGFW).
The protection device 24 includes multiple security components. As shown in FIG. 1, the security components in the protection device 24 include, without limitation, a fragment serialization processing component, a session reassembly component, a traffic detection component, a file detection component, a protocol identification component, a file restoration component, a domain name detection component, a blacklist component, a whitelist component and a reputation detection component. It should be noted that FIG. 1 is only an illustrative example; a protection device may include some of the components shown in FIG. 1, or more components. The protection device 24 uses the multiple security components to perform security detection on the packet streams entering and leaving the local area network, to confirm whether the packets in a packet stream are attack packets and whether the files carried in the packet stream are malicious files. The multiple security components in the protection device 24 may optionally process in series or in parallel. The function of each security component in the protection device 24 is described below.
The fragment serialization processing component reorders and reassembles Internet Protocol (IP) fragments and discards overlapping, incomplete or otherwise invalid fragments.
The session reassembly component arranges the individual packets in order. For the Transmission Control Protocol (TCP), the session reassembly component specifically sorts the TCP packets of a TCP stream and reassembles them into a complete TCP session. Optionally, the packets processed by the session reassembly component are those output by the fragment serialization processing component.
The traffic detection component matches the data in a packet against the attack signatures in a signature library (attack signature matching); if the data in the packet matches an attack signature, the packet is determined to be an attack. An attack signature describes the characteristics of a network intrusion behaviour. The signature library contains signatures of various known attack behaviours or signatures customised by the administrator.
The file detection component matches the data in a file against the attack features in a feature library; if the data in the file matches an attack feature in the feature library, the file is determined to be a malicious file. Attack features describe the characteristics of malicious files such as viruses and Trojans. The feature library contains the features of various known malicious files.
The protocol identification component identifies the protocol on which a packet is based. In some embodiments, the protocol identification component specifically identifies the application layer protocol on which a packet is based, such as the Hypertext Transfer Protocol (HTTP), the File Transfer Protocol (FTP) or the Simple Mail Transfer Protocol (SMTP).
The file restoration component obtains a file from packets. Specifically, after the protocol identification component has identified the application layer protocol, the file restoration component parses one or more packets according to that application layer protocol and reassembles the payload fields of the parsed packets to obtain the file.
The blacklist component checks whether the source address of a packet hits the blacklist; if it does, the packet is discarded and the subsequent detection flow is not continued.
The whitelist component checks whether the source address of a packet hits the whitelist; if it does, the subsequent detection flow is not continued and the packet is allowed through.
The domain name detection component checks the domain name of the originator of a packet or a domain name contained in a file.
The reputation detection component checks content contained in a packet, such as a URL or a file. Reputation is derived from the alarm hashes generated by previously detected content; by comparing the hash of a new file with the hashes in the reputation data, content can be checked efficiently without scanning it again.
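The serial processing relationship among the components listed above, shown as an added Python illustration that is not the patent's or any vendor's code: each component receives a packet and the running detection result, the whitelist and blacklist components can end the chain early, and the remaining components add findings of the kinds named in the summary (attack type, protocol type, virus type, malicious domain name, malicious IP address, or a no-attack indicator). The signatures, address lists, alarm hashes and sample packets are constructed for the example and use documentation address ranges; fragment handling, session reassembly and file restoration are assumed to have run already, so the restored file, when there is one, arrives in the packet's `file` field.

```python
import hashlib
import re

# Constructed signature library: attack type -> pattern over the packet payload.
SIGNATURE_LIBRARY = {
    "powershell_attack": re.compile(rb"GET /\S*\.ps1 HTTP/1\.1", re.I),
    "mining_login_attack": re.compile(rb'"method"\s*:\s*"login"'),
}
BLACKLIST = {"198.51.100.7"}           # constructed malicious source addresses
WHITELIST = {"192.0.2.1"}              # constructed trusted source addresses
MALICIOUS_DOMAINS = {"malware.example"}
# Constructed reputation data: alarm hashes (SHA-256) of previously detected files.
ALARM_HASHES = {hashlib.sha256(b"coin miner payload").hexdigest()}

FINDING_KEYS = ("attack_type", "malicious_domain", "malicious_ip", "virus_type")


def whitelist_component(pkt, result):
    """Trusted source: release the packet and stop the chain."""
    if pkt["src"] in WHITELIST:
        result["action"] = "allow"
        return False
    return True


def blacklist_component(pkt, result):
    """Known-bad source: record the malicious IP, drop the packet, stop the chain."""
    if pkt["src"] in BLACKLIST:
        result["malicious_ip"] = pkt["src"]
        result["action"] = "drop"
        return False
    return True


def protocol_identification_component(pkt, result):
    """Identify the application layer protocol from the start of the payload."""
    payload = pkt["payload"]
    if re.match(rb"(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", payload):
        result["protocol"] = "HTTP"
    elif payload.startswith((b"USER ", b"RETR ")):
        result["protocol"] = "FTP"
    elif payload.startswith((b"EHLO ", b"MAIL FROM:")):
        result["protocol"] = "SMTP"
    else:
        result["protocol"] = "unknown"
    return True


def traffic_detection_component(pkt, result):
    """Attack signature matching over the payload."""
    for attack_type, pattern in SIGNATURE_LIBRARY.items():
        if pattern.search(pkt["payload"]):
            result["attack_type"] = attack_type
    return True


def domain_detection_component(pkt, result):
    """Check the Host header of an HTTP request against the malicious domain list."""
    m = re.search(rb"\r\nHost:\s*([^\r\n:]+)", pkt["payload"], re.I)
    if m and m.group(1).decode().lower() in MALICIOUS_DOMAINS:
        result["malicious_domain"] = m.group(1).decode().lower()
    return True


def reputation_component(pkt, result):
    """Compare the hash of the restored file with the alarm hashes; no rescan needed."""
    body = pkt.get("file")
    if body is not None and hashlib.sha256(body).hexdigest() in ALARM_HASHES:
        result["virus_type"] = "coin_miner"
    return True


CHAIN = [whitelist_component, blacklist_component, protocol_identification_component,
         traffic_detection_component, domain_detection_component, reputation_component]


def detect(pkt):
    """Run one packet through the chain in series and return its detection result."""
    result = {}
    for component in CHAIN:
        if not component(pkt, result):
            break
    if not any(k in result for k in FINDING_KEYS):
        result["no_attack"] = True
    return result


# Constructed sample packets (the first two mirror the kinds of samples in FIG. 3 and FIG. 5).
SAMPLES = {
    "powershell_attack": {"src": "203.0.113.5",
                          "payload": b"GET /vercheck.ps1 HTTP/1.1\r\nHost: malware.example\r\n\r\n"},
    "miner_download": {"src": "203.0.113.9",
                       "payload": b"GET /w/update.txt HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
                       "file": b"coin miner payload"},
    "blacklisted": {"src": "198.51.100.7", "payload": b"EHLO mail.example\r\n"},
    "benign": {"src": "203.0.113.2",
               "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"},
}
```

Feeding each entry of `SAMPLES` to `detect` gives exactly the kind of per-sample detection result that the test server later compares with the expected result: the blacklisted packet never reaches the later components, while the benign request comes out with only a protocol type and the no-attack indicator.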
The method flow of the embodiments of the present application is illustrated below by example.
FIG. 2 is a flowchart of a function verification method for a security component provided by an embodiment of the present application. The method shown in FIG. 2 includes the following steps S201 to S207.
Optionally, the network deployment scenario on which the method shown in FIG. 2 is based is the one shown in FIG. 1. For example, taken together with FIG. 1, the protection device in the method of FIG. 2 is the protection device 24 in FIG. 1, the test server in the method of FIG. 2 is the test server 11 in FIG. 1, and the security components tested by the method of FIG. 2 are at least one of the fragment serialization processing component, session reassembly component, traffic detection component, file detection component, protocol identification component, file restoration component, domain name detection component, IP address detection component, blacklist component, whitelist component or reputation detection component inside the protection device 24 in FIG. 1.
The method shown in FIG. 2 is described with the test server and the protection device as separate entities. The protection device is mainly responsible for detecting the test sample and performs steps S202, S203 and S204 in FIG. 2; the test server is mainly responsible for comparing the detection result with the expected result to determine whether the security component works normally and performs steps S201, S205, S206 and S207 in FIG. 2. When the test server and the protection device are implemented as one device, steps S201, S202, S203, S204, S205, S206 and S207 are all performed by the device that integrates the test server and the protection device. For example, when the test server is integrated in the protection device, the steps described below as performed by the test server are actually performed by the protection device.
Step S201: the test server provides a test sample to the protection device.
The test sample is used to test whether the security components in the protection device function normally. The test sample includes at least one of a test packet or a packet stream carrying a test file. Test packets include, without limitation, attack packets or normal packets.
An attack packet is a packet through which a network attack is launched. For example, an attack packet is a flood attack packet, a buffer overflow attack packet or a single-packet attack packet (such as a malformed packet or a scanning attack packet). A normal packet is, for example, a service packet from a client.
Test files include, without limitation, malicious files or normal files. A malicious file used as a test file is, for example, an executable file that attacks the client once executed on it. A malicious file contains malicious code; for example, a malicious file is a file containing a virus, a Trojan or a worm.
In some embodiments, the test sample is at least one packet capture (PCAP) file. A PCAP file is a file generated by capturing network traffic on an interface. The content of a PCAP file is a packet stream. Specifically, the data structure of a PCAP file is of the form: file header, packet 1, packet 2, ..., packet n, where packet 1, packet 2, ..., packet n form the packet stream in the PCAP file. Optionally, the packet stream in a PCAP file used as a test sample carries a file, and that file is the test file. Alternatively, the content carried by the packet stream in a PCAP file used as a test sample is data other than a file, such as a web page or multimedia data.
The content of PCAP files used as test samples is illustrated below by example. Refer to FIG. 3, FIG. 4 and FIG. 5, which show the contents of three PCAP files.
FIG. 3 shows the content of a powershell script attack (powershell attack) packet. The underlined part in FIG. 3 is the content of the request packet; the part not underlined is the content of the response packet. The bold text in FIG. 3 is the content of the malicious file vercheck.ps1. The lines get /vercheck.ps1 HTTP/1.1 and host:185.128.41.90:44 in FIG. 3 mean that the client uses the get method over HTTP 1.1 to request the file vercheck.ps1 from the server at IP address 185.128.41.90:44. HTTP/1.1 200 ok in FIG. 3 indicates that the server responded successfully.
FIG. 4 shows the content of a mining login attack packet. The data in FIG. 4 represent the four-step exchange of a mining login attack: in the first step the client sends a mining login request; in the second step the server returns the mining job; in the third step the client sends a keep-alive (heartbeat) request to the server; in the fourth step the server acknowledges the client's heartbeat request.
FIG. 5 shows the content of a packet carrying a mining virus. The underlined part in FIG. 5 is the content of the request packet; the part not underlined is the content of the response packet. The bold text in FIG. 5 is the content of the file cohernece.txt. The lines get /w/cohernece.txt HTTP/1.1 and host:185.128.41.90:443 in FIG. 5 mean that the client uses the get method over HTTP 1.1 to request the file cohernece.txt from the server at IP address 185.128.41.90:443. HTTP/1.1 200 ok in FIG. 5 indicates that the server responded successfully. The file cohernece.txt is a malicious file containing a mining virus (coin miner virus).
Using PCAP files as the samples for verifying the function of protection device components makes it easy for the protection device to obtain multiple test packets in a batch, and also makes it easy for the test server to provide test packets of different attack types to the protection device separately.
测试服务器提供测试样本的具体实现方式包括而不限于下述实现方式一至实现方式二。The specific implementation manners for the test server to provide the test sample include but are not limited to the following implementation manners 1 to 2.
实现方式一、测试服务器将测试样本发送给防护设备。Implementation mode 1: The test server sends the test sample to the protective device.
在一些实施例中,防护设备从测试服务器拉取测试样本。具体地,防护设备向测试服务器发送样本获取请求。测试服务器响应于防护设备的样本获取请求,向防护设备发送测试样 本。可选地,样本获取请求由管理员向防护设备输入的命令触发;可替代地,样本获取请求每隔设定时间周期触发一次。In some embodiments, the protective device pulls the test samples from the test server. Specifically, the protective device sends a sample acquisition request to the test server. The test server sends a test sample to the protective device in response to the sample acquisition request from the protective device. Optionally, the sample acquisition request is triggered by a command input by the administrator to the protective device; alternatively, the sample acquisition request is triggered every set time period.
在另一些实施例中,测试服务器主动向防护设备推送测试样本。例如,测试服务器定时推送测试样本。或者,每当出现新增测试样本时,测试服务器向防护设备推送新增测试样本。In other embodiments, the test server actively pushes the test samples to the protective device. For example, the test server regularly pushes test samples. Alternatively, whenever a new test sample appears, the test server pushes the new test sample to the protective device.
实现方式二、测试服务器将测试样本存储至防护设备能够访问的指定存储地址。Implementation Mode 2: The test server stores the test sample in a designated storage address accessible by the protective device.
该指定存储地址例如为文件传输服务器上的存储目录。文件传输服务器包括而不限于HTTP服务器、FTP服务器、安全文件传送协议(SSH File Transfer Protocol或Secure FTP,SFTP)服务器、网络文件系统(Network File System,NFS)服务器等。The designated storage address is, for example, a storage directory on a file transfer server. File transfer servers include but are not limited to HTTP servers, FTP servers, Secure File Transfer Protocol (SSH File Transfer Protocol or Secure FTP, SFTP) servers, Network File System (Network File System, NFS) servers, and the like.
在采用实现方式二的情况下,文件传输服务器充当测试服务器与防护设备之间的中转,由文件传输服务器负责向防护设备发送测试样本。可选地,测试服务器和文件传输服务器通过联动提供测试样本。具体地,测试服务器将测试样本保存至该文件传输服务器之后,测试服务器向该文件传输服务器发送传输指示。传输指示的含义是指示文件传输服务器向防护设备发送测试样本。文件传输服务器响应于测试服务器的传输指示,向防护设备发送测试样本。In the case of the second implementation, the file transfer server acts as a relay between the test server and the protective device, and the file transfer server is responsible for sending test samples to the protective device. Optionally, the test server and the file transfer server provide test samples through linkage. Specifically, after the test server saves the test sample to the file transfer server, the test server sends a transfer instruction to the file transfer server. The meaning of the transfer instruction is to instruct the file transfer server to send a test sample to the protective device. The file transfer server sends the test sample to the protective device in response to the transfer instruction from the test server.
步骤S202、防护设备接收来自于测试服务器的测试样本。Step S202, the protective device receives the test sample from the test server.
例如请参考附图1所示的场景,防护设备24从测试服务器11拉取得到测试样本。For example, referring to the scenario shown in FIG. 1 , the protective device 24 pulls the test sample from the test server 11 .
步骤S203、防护设备通过安全组件对测试样本进行检测,产生检测结果。Step S203, the protection device detects the test sample through the security component, and generates a detection result.
检测结果的内容包括多种情况。可选地,检测结果用于指示测试样本是否存在攻击。例如,检测结果为有攻击的指示符或者无攻击的指示符。或者,可选地,检测结果为测试样本中攻击相关的信息。例如,检测结果包括攻击类型、协议类型、病毒类型、恶意域名或者恶意IP地址。The content of the test results includes a variety of situations. Optionally, the detection result is used to indicate whether there is an attack on the test sample. For example, the detection result is an indicator of an attack or an indicator of no attack. Or, optionally, the detection result is attack-related information in the test sample. For example, the detection results include attack type, protocol type, virus type, malicious domain name or malicious IP address.
攻击类型为测试样本存在的攻击所属的类型。攻击类型为防护设备中IPS组件的检测结果。IPS组件包括上述分片序列化处理组件、会话重组组件、流量检测组件、协议识别组件和域名检测组件。The attack type is the type of the attack that exists in the test sample. The attack type is the detection result of the IPS component in the protection device. The IPS component includes the above-mentioned fragmentation serialization processing component, session reorganization component, traffic detection component, protocol identification component and domain name detection component.
协议类型为发起攻击所基于的协议的类型。协议类型为上述协议识别组件的检测结果。The protocol type is the type of protocol based on which the attack is launched. The protocol type is the detection result of the above protocol identification component.
病毒类型为测试文件中病毒的类型。病毒类型为上述文件检测组件的检测结果。Virus type is the type of virus in the test file. The virus type is the detection result of the above-mentioned file detection component.
恶意域名为充当测试报文的攻击报文中的域名。恶意域名为上述域名检测组件的检测结果。The malicious domain name is the domain name in the attack packet serving as the test packet. The malicious domain name is the detection result of the above domain name detection component.
恶意IP地址为充当测试样本的攻击报文的源IP地址,或者为充当测试文件的恶意文件包含的IP地址。恶意IP地址为上述IP地址检测组件的检测结果。The malicious IP address is the source IP address of the attack packet serving as the test sample, or the IP address contained in the malicious file serving as the test file. The malicious IP address is the detection result of the above IP address detection component.
无攻击的指示符用于指示测试样本中不存在攻击。无攻击的指示符为防护设备中IPS组件或者文件检测组件的检测结果。The no-attack indicator is used to indicate that no attack is present in the test sample. The indicator of no attack is the detection result of the IPS component or the file detection component in the protection device.
例如,参见下表1,测试样本为表1所示的3个攻击PCAP。攻击PCAP即具有攻击性的PCAP文件,攻击PCAP的内容包括攻击报文流。For example, see Table 1 below, the test samples are the 3 attack PCAPs shown in Table 1. Attacking PCAP is an offensive PCAP file, and the content of attacking PCAP includes attacking packet flow.
表1Table 1
In Table 1, attack PCAP number 1 is 001.PCAP, which contains mining login attack packets. After 001.PCAP passes through each security component in the protective device, the detection result produced by the IPS component is "mining login attack" (an attack type), the detection result of the protocol identification component is "Jsonrpc/Stratum" (a protocol type), the detection result of the file detection component is none, and the detection result of the domain name or IP component is "ss.antpool.com" (a malicious domain name).
Attack PCAP number 2 is 002.PCAP, which contains powershell script attack packets. After 002.PCAP passes through each security component in the protective device, the detection result of the IPS component is "powershell attack" (an attack type), the detection result of the protocol identification component is "HTTP" (a protocol type), the detection result of the file detection component is none, and the detection result of the domain name or IP component is "evail.com" (a malicious domain name).
Attack PCAP number 3 is 003.PCAP, which contains a packet flow carrying the file coherence.txt; coherence.txt is a file containing a coin miner virus. After coherence.txt passes through each security component in the protective device, the detection result of the IPS component is none, the detection result of the protocol identification component is "HTTP" (a protocol type), the detection result of the file detection component is "coin miner virus", and the detection result of the domain name or IP component is "185.128.41.90" (a malicious IP address).
Optionally, the security components in the protective device process the test sample serially. For example, security component 1 first detects the test sample and sends the detected test sample to security component 2; security component 2 then detects the test sample already detected by security component 1. Or, optionally, the security components in the protective device process the test sample in parallel; for example, security component 1 and security component 2 detect the test sample at the same time.
Step S204: the protective device sends the detection result to the test server.
For example, referring to the scenario shown in FIG. 1, protective device 24 uploads the detection result to test server 11.
Step S205: the test server obtains the detection result of the protective device.
Optionally, the detection result is the content of a detection log (also called a check log). The detection log is the log produced when the security component detects the test sample. The detection log includes at least the detection results shown in Table 1; optionally, it also includes the detection time, the identifier of the security component and the like. Step S204 is then implemented as the protective device sending the detection log containing the detection result, and step S205 as the test server receiving the detection log from the protective device and obtaining the detection result from it.
Step S206: the test server compares the detection result with the expected result corresponding to the test sample.
The expected result is the detection result that a correctly functioning security component produces when it detects the test sample. For example, when the test sample includes attack packets or a packet flow carrying a malicious file, the expected result for that test sample indicates that an attack is present; for example, the expected result includes an attack type, a protocol type, a virus type, a malicious domain name or a malicious IP address. As another example, when the test sample includes normal packets or a packet flow carrying a normal file, the expected result indicates that no attack is present in the test sample (that is, the test sample is normal); for example, the expected result includes a no-attack indicator, a protocol type, a normal domain name or a normal IP address.
In some embodiments, the test server stores the expected result in advance. For example, the test server keeps an expected-result library that contains the correspondence between test samples and expected results, and the test server obtains the expected result by querying the expected-result library with the test sample.
Optionally, the expected result is produced by manual annotation by the administrator.
Step S207: if the detection result is consistent with the expected result, the test server determines that the security component is functioning normally.
For example, when the test sample includes attack packets or a packet flow carrying a malicious file, if the detection result includes a no-attack indicator, the test server determines that the security component is not functioning normally. As another example, when the test sample includes normal packets or a packet flow carrying a normal file, if the detection result includes an attack type, the test server determines that the security component is not functioning normally.
In addition, optionally, if the detection result is inconsistent with the expected result, the test server determines that the security component is not functioning normally.
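The comparison of steps S205 to S207, worked as an added example that is not part of the patent: a small test-server routine parses a detection log in a constructed key=value format, compares each component's result against an expected-result library built from Table 1 (plus a constructed benign sample, 004.PCAP), and reports the first or second indicator per security component, treating a missing log entry as a failure rather than a pass.

```python
"""Test-server side of steps S205 to S207: parse the protective device's detection
log, compare each security component's result with the expected result stored
for that test sample, and return a function verification result per component.
Constructed example; the log format and the benign sample 004.PCAP are invented."""
from typing import Dict, List

FIRST_INDICATOR = "normal"     # security component functions normally
SECOND_INDICATOR = "abnormal"  # security component does not function normally
NONE = "none"                  # no-attack indicator / empty result

# Expected-result library (step S206): sample -> {component: expected result}.
# Rows 001 to 003 follow Table 1; 004.PCAP is a constructed benign sample so the
# "attack type reported on normal traffic" branch of step S207 is exercised.
EXPECTED_RESULTS: Dict[str, Dict[str, str]] = {
    "001.PCAP": {"IPS": "mining login attack", "protocol": "Jsonrpc/Stratum",
                 "file": NONE, "domain_or_ip": "ss.antpool.com"},
    "002.PCAP": {"IPS": "powershell attack", "protocol": "HTTP",
                 "file": NONE, "domain_or_ip": "evail.com"},
    "003.PCAP": {"IPS": NONE, "protocol": "HTTP",
                 "file": "coin miner virus", "domain_or_ip": "185.128.41.90"},
    "004.PCAP": {"IPS": NONE, "protocol": "HTTP",
                 "file": NONE, "domain_or_ip": "example.com"},
}


def parse_detection_log(log: str) -> List[Dict[str, str]]:
    """Parse one 'key=value;key=value' line per component (constructed format).
    Blank lines and '#' comments are skipped; a missing result field is read as
    the no-attack indicator."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = dict(part.split("=", 1) for part in line.split(";") if "=" in part)
        fields["result"] = fields.get("result", NONE).strip()
        entries.append(fields)
    return entries


def verify(log: str) -> Dict[str, Dict[str, str]]:
    """Steps S206 and S207: sample -> {component: FIRST_INDICATOR | SECOND_INDICATOR}.
    A component that logged nothing for a sample it should have judged gets
    SECOND_INDICATOR: silence is a failure, not a pass."""
    reported: Dict[str, Dict[str, str]] = {}
    for e in parse_detection_log(log):
        reported.setdefault(e["sample"], {})[e["component"]] = e["result"]
    verdicts: Dict[str, Dict[str, str]] = {}
    for sample, expected in EXPECTED_RESULTS.items():
        if sample not in reported:
            continue  # sample not tested in this log
        verdicts[sample] = {
            comp: FIRST_INDICATOR if reported[sample].get(comp) == exp else SECOND_INDICATOR
            for comp, exp in expected.items()
        }
    return verdicts


def component_status(verdicts: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Overall function verification result per security component: normal only
    if the component was right on every sample it was tested with."""
    status: Dict[str, str] = {}
    for per_component in verdicts.values():
        for comp, verdict in per_component.items():
            failed = verdict == SECOND_INDICATOR or status.get(comp) == SECOND_INDICATOR
            status[comp] = SECOND_INDICATOR if failed else FIRST_INDICATOR
    return status


# Constructed detection log (not the device's real format). 001.PCAP is handled
# correctly; on 003.PCAP the file detection component misses the coin miner; on
# the benign 004.PCAP the IPS component raises a false "powershell attack" and
# the domain/IP component logs nothing at all.
SAMPLE_LOG = """\
time=2021-08-01T10:00:01;sample=001.PCAP;component=IPS;result=mining login attack
time=2021-08-01T10:00:01;sample=001.PCAP;component=protocol;result=Jsonrpc/Stratum
time=2021-08-01T10:00:01;sample=001.PCAP;component=file;result=none
time=2021-08-01T10:00:01;sample=001.PCAP;component=domain_or_ip;result=ss.antpool.com
time=2021-08-01T10:00:03;sample=003.PCAP;component=IPS;result=none
time=2021-08-01T10:00:03;sample=003.PCAP;component=protocol;result=HTTP
time=2021-08-01T10:00:03;sample=003.PCAP;component=file;result=none
time=2021-08-01T10:00:03;sample=003.PCAP;component=domain_or_ip;result=185.128.41.90
time=2021-08-01T10:00:04;sample=004.PCAP;component=IPS;result=powershell attack
time=2021-08-01T10:00:04;sample=004.PCAP;component=protocol;result=HTTP
time=2021-08-01T10:00:04;sample=004.PCAP;component=file;result=none
"""
```

`verify(SAMPLE_LOG)` flags the file detection component on 003.PCAP and the IPS component on 004.PCAP, and `component_status` rolls that up to one indicator per component.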
In the method provided in this embodiment, test packets or packet flows carrying test files are provided to the protective device as test samples; the test samples flow through the security components in the protective device in turn as input traffic; the security components produce detection results after testing the samples; the detection results produced by the security components are compared with the expected results; and whether the security components are functioning normally is determined from the comparison. The method supports functional verification while the protective device is already deployed in a live network, so it suits scenarios in which security components are upgraded and changed frequently and helps to discover in time security components whose functions have failed in actual use. The method also supports automated execution of the functional verification process, avoiding tedious manual testing and improving test efficiency. The method therefore improves the effectiveness of functional verification of security components.
Step S201 of the method shown in FIG. 2 is described further below in steps S2011 to S2014, taking the case where the provided test sample is a first test sample as an example.
Step S2011: the protective device generates a download request and sends it to the test server.
The download request requests the download of a test sample from the test server. The download request includes the device identifier of the protective device and the address of the test server. The download request is, for example, a request based on a file transfer protocol, such as an HTTP request or an FTP request.
The device identifier identifies the protective device. Optionally, the device identifier in this embodiment is an electronic serial number (ESN). An ESN is data that uniquely identifies a device, also called the device's own electronic label; an example ESN is 1020608946. Because an ESN is a unique ID and the device type can be determined from the ESN, it is convenient for subsequent processing. Alternatively, the device identifier is an IP address or a MAC address. In some embodiments, the device identifier is stored in the protective device in advance.
The address of the test server is, for example, the IP address or domain name of the test server. In some embodiments, the administrator enters the address of the test server into the protective device; for example, the protective device's configuration manual contains the address of the test server and the administrator configures the address given in the manual into the protective device. In other embodiments, before the protective device leaves the factory the manufacturer stores the address of the test server in the protective device's configuration file in advance; after the protective device is deployed and powered on in the live network, it automatically reads the address of the test server from the configuration file and, when a set condition is met, sends a download request to the test server. The set condition includes, but is not limited to, completion of initialization, or having operated in the live network for longer than a predetermined period. In still other embodiments, the manufacturer sends the address of the test server together with a component update package to protective devices already deployed in the live network, so that the address of the test server can be updated.
In an exemplary embodiment, the download request is an HTTP request, the address of the test server is sec.huawei.com, the device identifier is the ESN of the protective device with the value 1020608946, and the test sample is an attack PCAP file. The protective device sends a download request with the following content, thereby pulling the attack PCAP file from the test server by HTTP download.
GET /PCAP?esn=1020608946 HTTP/1.1
host: sec.huawei.com
Step S2012: the test server receives the download request from the protective device.
Step S2013: the test server queries the sample library with the device identifier carried in the download request to obtain the first test sample.
The first test sample is the test sample corresponding to the device identifier in the sample library; the sample library includes at least one correspondence between a device identifier and a test sample.
Step S2014: the test server sends the first test sample to the protective device.
For example, the device identifier is an ESN, the test sample is an attack PCAP file, and the sample library stores a one-to-one correspondence between ESNs and attack PCAP files. The test server obtains the ESN carried in the download request, queries the sample library with that ESN to obtain the corresponding attack PCAP file, and returns that attack PCAP file to the protective device.
Optionally, the sample library includes correspondences between the device identifiers of different types of protective devices and different types of test samples, so that the test server can use the sample library to provide different types of test samples to different types of protective devices. For example, the sample library includes a correspondence between a firewall's device identifier and a Server Message Block (SMB) brute-force attack PCAP, a correspondence between a situational awareness device's device identifier and a command and control (C&C) remote control attack PCAP, and a correspondence between an IPS device's device identifier and a Structured Query Language (SQL) injection attack PCAP. After receiving a download request from the firewall, the test server queries the sample library with the firewall's device identifier in the request to obtain the SMB brute-force attack PCAP and provides it to the firewall; after receiving a download request from the situational awareness device, the test server queries the sample library with the situational awareness device's device identifier to obtain the C&C remote control attack PCAP and provides it to the situational awareness device.
Since the functions that need to be verified may differ between devices, providing test samples through steps S2011 to S2014 helps the test server supply test samples that better match a device's specific functions, so that different devices can be verified with different, targeted test samples, making functional verification finer-grained and more flexible.
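The download exchange of steps S2011 to S2014 on the test server side, as an added example (not the patent's or the vendor's code): it parses the raw HTTP request quoted above, validates the esn query parameter, looks the ESN up in a sample library and returns the matching PCAP as an HTTP response. The library contents, the empty PCAP bytes and the 400/404 error handling are assumptions made here.

```python
"""Test-server side of steps S2012 to S2014 (constructed example): parse the
protective device's HTTP download request, take the ESN from the query string,
look it up in the sample library and return the matching attack PCAP."""
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed PCAP: a 24-byte pcap global header (little-endian magic, version
# 2.4, zone 0, sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET) with no packets, so
# the example runs offline without carrying any real attack traffic.
EMPTY_PCAP = bytes.fromhex("d4c3b2a1" "02000400" "00000000" "00000000" "ffff0000" "01000000")

# Constructed sample library: ESN -> (file name, file contents). The ESN is the
# one quoted in the page's example request.
SAMPLE_LIBRARY: Dict[str, Tuple[str, bytes]] = {
    "1020608946": ("001.PCAP", EMPTY_PCAP),
}


def parse_download_request(raw: bytes) -> Tuple[str, str]:
    """Return (esn, host) from a raw HTTP/1.1 request such as
    b'GET /PCAP?esn=1020608946 HTTP/1.1\\r\\nhost: sec.huawei.com\\r\\n\\r\\n'.
    Raises ValueError for anything but a GET of /PCAP with a decimal ESN."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")  # UnicodeDecodeError on junk
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")       # ValueError unless 3 parts
    if method != "GET" or version != "HTTP/1.1":
        raise ValueError("unsupported request line")
    url = urlsplit(target)
    if url.path != "/PCAP":
        raise ValueError("unknown path")
    esn = parse_qs(url.query).get("esn", [""])[0]
    if not esn.isdigit():  # the ESN is a numeric identifier; nothing else is accepted
        raise ValueError("invalid esn")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return esn, headers.get("host", "")


def handle_download_request(raw: bytes) -> Tuple[int, str, bytes]:
    """Steps S2012 to S2014: returns (status, file name, body)."""
    try:
        esn, _host = parse_download_request(raw)
    except (ValueError, UnicodeDecodeError):
        return 400, "", b""
    entry = SAMPLE_LIBRARY.get(esn)
    if entry is None:
        return 404, "", b""  # no test sample registered for this device identifier
    name, data = entry
    return 200, name, data


def build_response(status: int, name: str, body: bytes) -> bytes:
    """Serialise the result of handle_download_request as an HTTP/1.1 response."""
    reason = {200: "OK", 400: "Bad Request", 404: "Not Found"}[status]
    headers = [f"HTTP/1.1 {status} {reason}", f"Content-Length: {len(body)}"]
    if status == 200:
        headers.append("Content-Type: application/vnd.tcpdump.pcap")
        headers.append(f'Content-Disposition: attachment; filename="{name}"')
    return ("\r\n".join(headers) + "\r\n\r\n").encode("ascii") + body


# The request from the page's example, as the raw bytes the device would send.
EXAMPLE_REQUEST = b"GET /PCAP?esn=1020608946 HTTP/1.1\r\nhost: sec.huawei.com\r\n\r\n"

if __name__ == "__main__":
    status, name, body = handle_download_request(EXAMPLE_REQUEST)
    print(status, name, len(body), "bytes")
```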
In some embodiments, after the test server performs step S206 of the method shown in FIG. 2, the test server generates a function verification result according to whether the detection result is consistent with the expected result and saves the generated function verification result, so that whether the function is normal can later be reported by exchanging the function verification result.
The function verification result indicates whether the security component is functioning normally. For example, the function verification result includes a first indicator or a second indicator: if the function verification result includes the first indicator, the security component is functioning normally; if it includes the second indicator, the security component is not functioning normally. Optionally, the function verification result also includes the identifier of the security component, so as to specify which security component the result refers to.
Examples of how the function verification result is used are given below in cases 1 to 3.
Case 1: providing the function verification result to the registrant of an administrator account.
Case 1 includes the following steps A to D.
Step A: in response to a registration request, the test server saves the correspondence between the device identifier and the administrator account in an account information table.
The registration request requests registration of an administrator account. It contains the administrator account and the device identifier of the protective device, and is triggered by a registration operation by the administrator of the protective device.
The account information table stores information related to administrator accounts and includes at least one correspondence between a device identifier and an administrator account. After receiving the registration request, the test server obtains the device identifier and the administrator account from the request and stores them in the account information table as a corresponding pair.
In some embodiments, the registration request also includes a password. The test server obtains the password from the registration request and saves the correspondence between the administrator account and the password in the account information table.
For example, the administrator registers a unique administrator account against the ESN of the protective device by filling in three fields at registration, ESN, username and password, which triggers the registration request described above. The content of the ESN field is the device identifier, the content of the username field is the administrator account, and the content of the password field is the password.
Optionally, step A is performed before step S201 of the method shown in FIG. 2.
Step B: the test server saves the correspondence between the function verification result and the device identifier in a result information table.
The result information table stores information related to function verification results and includes at least one correspondence between a device identifier and a function verification result.
Optionally, when the protective device performs step S202 of FIG. 2, besides sending the detection result to the test server it also sends the device identifier of the protective device, for example by encapsulating the detection result and the device identifier in the same packet sent to the test server. When the test server performs step S203 of FIG. 2, besides receiving the detection result from the protective device it also receives the device identifier from the protective device. In step B, the test server saves in the result information table the correspondence between the device identifier that the protective device sent along with the detection result and the function verification result.
Step C: in response to a query request, the test server queries the account information table and the result information table with the administrator account to obtain the function verification result corresponding to the device identifier.
The query request requests the function verification result of the security component in the protective device, and contains the administrator account.
Optionally, after obtaining the administrator account from the query request, the test server first queries the account information table with the administrator account to obtain the device identifier corresponding to that account, and then queries the result information table with the device identifier to obtain the function verification result corresponding to that device identifier.
Step D: the test server provides the function verification result corresponding to the device identifier to the initiator of the query request.
Optionally, the initiator of the query request is the administrator or a third party.
Optionally, in a scenario with multiple protective devices, the account information table stores the correspondence between one administrator account and the device identifiers of multiple protective devices. The test server queries the account information table and the result information table with the administrator account to obtain the function verification results for the multiple device identifiers and provides them all to the initiator of the query request, so that the administrator can review the status of each protective device in a batch.
In some embodiments, before providing the function verification result, the test server determines whether the administrator account is logged in; it provides the function verification result when the account is logged in and refuses to provide it when the account is not logged in. One way for the administrator account to log in is as follows: the administrator triggers a login request containing the administrator account and the password; the test server receives the login request, queries the account information table with the administrator account in the request and obtains the password corresponding to that account. If the password in the login request is the same as the password obtained from the account information table, the password is determined to be correct and the login request is accepted; if the two differ, the password is determined to be incorrect and the login request is rejected.
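Steps A to D as an added example of the account-based access control described above (not the patent's code): the account information table, the result information table, the login check and the multi-device query. The page stores the password itself and compares it for equality; this example stores a salted PBKDF2 hash and compares it in constant time instead, which is the example's own choice. Table layouts, method names and sample values are constructed.

```python
"""Steps A to D on the test server (constructed example): register an
administrator account against a device ESN, record function verification
results per ESN, and answer a query only for a logged-in administrator,
returning the results for every ESN bound to that account."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the page compares the raw password instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class TestServer:
    def __init__(self) -> None:
        # Account information table: username -> (salt, password hash, bound ESNs)
        self.account_info: Dict[str, Tuple[bytes, bytes, List[str]]] = {}
        # Result information table: ESN -> {security component: verification result}
        self.result_info: Dict[str, Dict[str, str]] = {}
        self.logged_in: Set[str] = set()

    # Step A: the registration request carries the ESN, username and password.
    def register(self, esn: str, username: str, password: str) -> bool:
        if username not in self.account_info:
            salt = secrets.token_bytes(16)
            self.account_info[username] = (salt, _hash_password(password, salt), [esn])
            return True
        # Binding a further device to an existing account (the multi-device case)
        # requires that account's password; otherwise anyone could attach an ESN
        # to an administrator's account and read its results.
        salt, digest, esns = self.account_info[username]
        if not hmac.compare_digest(_hash_password(password, salt), digest):
            return False
        if esn not in esns:
            esns.append(esn)
        return True

    # Login request: username and password checked against the account table.
    def login(self, username: str, password: str) -> bool:
        entry = self.account_info.get(username)
        if entry is None:
            _hash_password(password, b"\x00" * 16)  # unknown user costs the same time
            return False
        salt, digest, _ = entry
        if not hmac.compare_digest(_hash_password(password, salt), digest):
            return False
        self.logged_in.add(username)
        return True

    def logout(self, username: str) -> None:
        self.logged_in.discard(username)

    # Step B: store the verification result generated for this device identifier.
    def record_result(self, esn: str, component: str, result: str) -> None:
        self.result_info.setdefault(esn, {})[component] = result

    # Steps C and D: account -> ESNs -> results, only while the account is logged in.
    def query(self, username: str) -> Optional[Dict[str, Dict[str, str]]]:
        if username not in self.logged_in:
            return None  # refused: administrator account is not logged in
        _, _, esns = self.account_info[username]
        return {esn: dict(self.result_info.get(esn, {})) for esn in esns}
```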
通过上述步骤A至步骤D提供的方式,一方面给管理员提供信息渠道,帮助管理员了解防护设备各组件的功能是否正常,另一方面基于账号进行访问控制,持有管理员账号的访问 者能获得防护设备组件功能是否正常的信息,未持有管理员账号的访问者无法获得防护设备组件功能是否正常的信息,提高信息安全。Through the methods provided in the above steps A to D, on the one hand, an information channel is provided for the administrator to help the administrator understand whether the functions of each component of the protective device are normal; It is possible to obtain information on whether the function of the protective equipment components is normal. Visitors who do not hold an administrator account cannot obtain information on whether the functions of the protective equipment components are normal, which improves information security.
Scenario 2: trigger a component upgrade according to the function verification result.
In some embodiments, if the function verification result indicates that the function of the security component is abnormal, the test server or the protective device upgrades the security component. For example, the test server sends an upgrade instruction to the protective device, and the upgrade instruction carries the resources needed to upgrade the security component, such as a patch file or the installation package of the latest version. The protective device executes the upgrade instruction and thereby upgrades the security component.
Scenario 3: send a notification according to the function verification result.
In some embodiments, if the function verification result indicates that the function of the security component is abnormal, the test server sends a notification message. The notification message informs the administrator of the protective device, or the protective device itself, of the function verification result. For example, when the destination of the notification message is the administrator, the test server sends the notification message to the administrator by e-mail, SMS or similar means, notifying the administrator that the security component is not functioning normally so that the administrator can handle the fault on the security component. As another example, when the destination of the notification message is the protective device, the test server sends the notification message to notify the protective device that the security component is not functioning normally, so that the protective device can upgrade the security component and thereby correct the fault automatically.
In some embodiments, step S201 of the method shown in FIG. 2 is implemented by encrypted download. Specifically, the test server encrypts the test sample to obtain an encrypted test sample and sends it to the protective device. The protective device receives the encrypted test sample from the test server, decrypts it to obtain the test sample in plaintext form, and detects the plaintext test sample.
Optionally, the encrypted download of the test sample is implemented over HTTPS. Specifically, the procedure of step S201 above includes the following. When the protective device needs to obtain a test sample, it negotiates with the test server to establish an HTTPS connection, generates a hypertext transfer protocol secure (HTTPS) request, and sends the HTTPS request to the test server over the HTTPS connection. The test server receives the HTTPS request from the protective device and generates an HTTPS response that includes the encrypted test sample. The test server sends the HTTPS response to the protective device over the HTTPS connection. The protective device receives the HTTPS response from the test server and obtains the encrypted test sample from it.
Optionally, the test server encrypts and the protective device decrypts with the same key. Alternatively, the test server encrypts the test sample with the protective device's public key, and the protective device decrypts the encrypted test sample with its own private key.
Using encrypted download helps prevent the test sample from being intercepted, which would cause the function verification to fail. Specifically, multiple protective devices may be deployed in a local area network. When the test sample is an attack packet or a packet stream carrying a malicious file and is transmitted in plaintext, it may be intercepted by a security device deployed in front of the protective device under test, so that it never reaches the protective device under test and the subsequent function verification procedure cannot continue. By encrypting the test sample so that it is transmitted as ciphertext, the probability that it is intercepted by a security device deployed further forward is reduced, and the transmission success rate of the test sample is improved.
In some embodiments, the method shown in FIG. 2 is used to assess the network security of a local area network. Specifically, in the method shown in FIG. 2, the protective device is deployed in the local area network and the test server is deployed in the Internet. The local area network is configured with an access control policy that prohibits the protective device in the local area network from receiving data from the Internet. For example, the access control policy includes a match condition and an action: the source address in the match condition includes an Internet IP address or network segment, and the action is deny.
After the test server in the Internet sends the test sample to the protective device in the local area network, if the test sample is successfully transmitted to the protective device, the test server determines that the local area network's protection has a loophole. One possible way of determining that the test sample was successfully transmitted is as follows: if the protective device successfully receives the test sample from the test server in the Internet, it generates a confirmation message and sends it to the test server. After sending the test sample, if the test server receives the confirmation message from the protective device within a certain period of time, it determines that the test sample was successfully transmitted to the protective device.
In this way, in actual network use, it is possible not only to assess whether the detection function of the protective device is normal, but also to assess whether the local area network is securely deployed. For example, see FIG. 6, where the protective device is the firewall. As shown in FIG. 6, the firewall acts as the client that detects protection loopholes in the local area network: the firewall is placed inside the local area network, and multiple switches are deployed in front of it. If the test sample enters the local area network from the Internet and reaches the firewall after passing through the switches, it is determined that the network protection of the local area network has a loophole. This usage mode supports attack demonstration and network security defense evaluation scenarios, and is of high value.
The method shown in FIG. 2 is illustrated below with an example.
Example 1
As shown in FIG. 7, Example 1 includes the following steps 1 to 5. The test sample of FIG. 2 is the attack PCAP in FIG. 7. The protective device of FIG. 2 is the firewall deployed in customer N's local area network in FIG. 7. The test server of FIG. 2 is the test server deployed in the Internet in FIG. 7.
1. The firewall is connected to customer N's local area network, ensures network connectivity, provides the complete forwarding function, and can also connect to the Internet. The firewall administrator registers an account in the cloud (the test server in the Internet), sets the option to connect to the test server, and enables the operation of pulling the attack PCAP.
In addition, the firewall administrator configures the firewall security policy (each security component) and upgrades the detection library of each component. (In actual use, because a long time may pass between sale and deployment, the firewall's component detection libraries lag behind the latest detection libraries, which are updated daily; to guarantee detection capability and effect, the component detection function must be kept up to date.)
The firewall administrator logs in to the Internet server address (the address is given in the product manual). After completing registration, the firewall administrator enables the detection function on the firewall. Once the detection function is enabled, the firewall actively connects to the Internet server's address and pulls the attack PCAP file from the Internet server.
2. The firewall takes the attack PCAP pulled from the test server as the input of the detection function; in the detection procedure, the security components cooperate with each other to detect the attack PCAP.
3. Each security component processes the network traffic in the attack PCAP and produces a corresponding detection result.
In an actual deployment, a user downloads a file from the Internet, the traffic carrying the file passes through the firewall, and the file is finally transferred to the user's device. During this process, the downloaded file passes completely through each security component. The process by which the firewall pulls the corresponding attack PCAP is consistent with the actual deployment. The attack PCAP is processed in the firewall as a packet stream; during processing, each security component detects the packet stream, and after processing the attack PCAP each security component generates a corresponding detection log.
4. The firewall uploads the detection result corresponding to each component to the test server in the Internet.
After the firewall generates the detection results, it actively uploads them to the Internet server. The upload carries the firewall's device identifier, for example its ESN.
5. The test server compares the detection results uploaded by the firewall with the expected results to determine whether the function of each security component is normal. If a security component is not functioning normally, the test server notifies the administrator to handle the corresponding fault, or corrects the fault automatically.
In addition, the test server associates the acquired detection log, by device identifier, with the account the firewall administrator created in step 1 above.
In addition, after the test server completes the function verification, it synchronizes the function verification result to the firewall. If the firewall determines from the returned function verification result that a certain component is not functioning normally, it actively upgrades the corresponding component or notifies the administrator by message to handle it, thereby eliminating the fault. Synchronization can be done in two ways. In the first, after the firewall uploads the detection log, the test server in the Internet directly returns the function verification result. In the second, after uploading the detection log, the firewall actively sends a request to the test server in the Internet at intervals and obtains function verification results in batches.
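Step 5 of Example 1 and Scenarios 2 and 3, as an added example that is not code from the patent or any product it describes: the test server compares the per-component detection logs uploaded by the firewall with the expected result for the attack PCAP, treats a missing log as an abnormal component, and derives the upgrade and notification actions. The expected-result table, the component names (`ips`, `av`, `url`), the log fields and the ESN are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed expected-result table keyed by test sample (attack PCAP) identifier.
# For each security component, the fields its detection log is expected to contain.
EXPECTED_RESULTS = {
    "pcap-example-0001": {
        "ips": {"verdict": "block", "signature": "EXAMPLE-IPS-SIGNATURE"},
        "av": {"verdict": "block", "malware": "EXAMPLE-VIRUS-NAME"},
        "url": {"verdict": "allow"},
    },
}


@dataclass
class VerificationResult:
    """Function verification result for one device and one test sample."""
    device_id: str
    sample_id: str
    components: dict = field(default_factory=dict)  # component -> "normal" | "abnormal"
    reasons: dict = field(default_factory=dict)     # component -> why it is abnormal

    @property
    def all_normal(self):
        return all(state == "normal" for state in self.components.values())


def verify(upload):
    """Compare uploaded detection logs with the expected results (step 5).

    `upload` is the firewall's report: its device identifier (ESN), the sample it
    detected, and one detection log per security component that produced one.
    """
    expected = EXPECTED_RESULTS[upload["sample_id"]]
    result = VerificationResult(upload["device_id"], upload["sample_id"])
    logs = upload["detection_logs"]
    for component, want in expected.items():
        got = logs.get(component)
        if got is None:
            # No log at all: the component never processed the packet stream.
            result.components[component] = "abnormal"
            result.reasons[component] = "no detection log produced"
            continue
        # Every expected field must match; extra fields in the log are ignored.
        mismatch = {k: (got.get(k), v) for k, v in want.items() if got.get(k) != v}
        if mismatch:
            result.components[component] = "abnormal"
            result.reasons[component] = f"mismatch (got, expected): {mismatch}"
        else:
            result.components[component] = "normal"
    return result


def plan_actions(result):
    """Scenarios 2 and 3: upgrade each abnormal component, then notify the device's admin."""
    actions = [("upgrade", c) for c, s in result.components.items() if s == "abnormal"]
    if not result.all_normal:
        actions.append(("notify", result.device_id))
    return actions


# Constructed upload: the IPS and URL components react as expected, the AV
# component lets the sample through and names no malware.
SAMPLE_UPLOAD = {
    "device_id": "ESN-EXAMPLE-001",
    "sample_id": "pcap-example-0001",
    "detection_logs": {
        "ips": {"verdict": "block", "signature": "EXAMPLE-IPS-SIGNATURE", "ts": 1700000000},
        "av": {"verdict": "allow"},
        "url": {"verdict": "allow"},
    },
}

if __name__ == "__main__":
    r = verify(SAMPLE_UPLOAD)
    print(r.components)        # {'ips': 'normal', 'av': 'abnormal', 'url': 'normal'}
    print(r.reasons)
    print(plan_actions(r))     # [('upgrade', 'av'), ('notify', 'ESN-EXAMPLE-001')]
```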
The above embodiment is based on a cloud-firewall architecture and achieves efficient verification and evaluation of firewall security component functions; its effectiveness and cost of use are greatly improved compared with related technology. In tests on actual data, verification and evaluation of security component functions can be achieved 100%, and component function failures are perceived in advance, thereby avoiding security risks in the customer's local area network caused by component failures.
Alternatively, the deployment location of the test server in FIG. 7 is changed from the Internet to the local area network. As shown in FIG. 8, an ordinary server or a third-party device is placed in the local area network as the test server to provide the test service; this approach can also achieve the intended goal.
The functions of the test server in FIG. 7 can also be placed inside the protective device. As shown in FIG. 9, the test service is placed in the firewall (a kind of protective device), and the firewall calls the internal test service to test the security components, thereby providing the function verification service.
The basic hardware structure of the test server is illustrated below.
FIG. 10 is a schematic structural diagram of a test server provided by an embodiment of the present application. The test server 600 shown in FIG. 10 is used to implement the methods performed by the test server in the embodiments above.
Optionally, with reference to FIG. 1, the test server 600 shown in FIG. 10 is the test server 11 in FIG. 1.
Optionally, with reference to FIG. 2, the test server 600 shown in FIG. 10 is the test server in the method shown in FIG. 2.
The test server 600 includes at least one processor 601, a memory 602, and at least one network interface 603.
The processor 601 is, for example, a general-purpose central processing unit (CPU), a network processor (NP), a graphics processing unit (GPU), a neural-network processing unit (NPU), a data processing unit (DPU), a microprocessor, or one or more integrated circuits for implementing the solution of the present application. For example, the processor 601 includes an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD is, for example, a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.
The memory 602 is, for example, a read-only memory (ROM) or another type of static storage device that can store static information and instructions; a random access memory (RAM) or another type of dynamic storage device that can store information and instructions; an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device; or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and can be accessed by a computer; but it is not limited to these. Optionally, the memory 602 exists independently and is connected to the processor 601 through an internal connection 604. Alternatively, the memory 602 and the processor 601 are integrated.
The network interface 603 uses any transceiver-like device for communicating with other devices or a communication network. The network interface 603 includes, for example, at least one of a wired network interface and a wireless network interface. The wired network interface is, for example, an Ethernet interface, which is, for example, an optical interface, an electrical interface or a combination thereof. The wireless network interface is, for example, a wireless local area network (WLAN) interface, a cellular network interface, or a combination thereof.
In some embodiments, the processor 601 includes one or more CPUs, such as CPU0 and CPU1 shown in FIG. 10.
In some embodiments, the test server 600 optionally includes multiple processors, such as the processor 601 and the processor 605 shown in FIG. 10. Each of these processors is, for example, a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here optionally refers to one or more devices, circuits, and/or processing cores for processing data (for example, computer program instructions).
In some embodiments, the test server 600 further includes an internal connection 604. The processor 601, the memory 602 and the at least one network interface 603 are connected through the internal connection 604, which includes pathways that transfer information between these components. Optionally, the internal connection 604 is a single board or a bus. Optionally, the internal connection 604 is divided into an address bus, a data bus, a control bus, and the like.
In some embodiments, the test server 600 further includes an input/output interface 606, which is connected to the internal connection 604.
In some embodiments, the input/output interface 606 is used to connect to an input device and to receive the commands or data involved in the embodiments above that a user enters through the input device, such as the expected result corresponding to a test sample, the administrator account, or the address of the test server. Input devices include, but are not limited to, a keyboard, a touch screen, a microphone, a mouse or a sensing device.
In some embodiments, the input/output interface 606 is also used to connect to an output device. Through the output device, the input/output interface 606 outputs the intermediate and/or final results produced by the processor 301 executing the method shown in FIG. 2 above, such as the function verification result. Output devices include, but are not limited to, a display, a printer, a projector, and the like.
Optionally, the processor 601 implements the methods of the embodiments above by reading program code 610 stored in the memory 602, or by means of internally stored program code. When the processor 601 implements the methods of the embodiments above by reading the program code 610 stored in the memory 602, the memory 602 stores the program code that implements the function verification method provided by the embodiments of the present application.
The memory 602 is used to store the program code 610; the processor 601 is used to read the program code 610 stored in the memory 602 and then perform the following operations: instruct the network interface 603 to provide a test sample to the protective device, the test sample including at least one of a test packet and a packet stream carrying a test file; obtain, through the network interface 603, the detection result produced by the security component in the protective device detecting the test sample; compare the detection result with the expected result corresponding to the test sample; and, if the detection result is consistent with the expected result, determine that the function of the security component is normal.
Optionally, the memory 602 is also used to store a sample library. The processor 601 is also used to read the program code 610 stored in the memory 602 and then perform the following operations: receive, through the network interface 603, a download request from the protective device, the download request including the device identifier of the protective device; and query the sample library stored in the memory 602 according to the device identifier to obtain a first test sample.
Optionally, the processor 601 is also used to read the program code 610 stored in the memory 602 and then perform the following operation: generate a function verification result according to whether the detection result is consistent with the expected result, the function verification result indicating whether the function of the security component is normal.
Optionally, the memory 602 is also used to store an account information table and a result information table. The processor 601 is also used to read the program code 610 stored in the memory 602 and then perform the following operations: in response to a registration request, received by the network interface 603, that includes the administrator account and the device identifier of the protective device, store the correspondence between the device identifier and the administrator account in the account information table in the memory 602; store the correspondence between the function verification result and the device identifier in the result information table in the memory 602; and, in response to a query request, received by the network interface 603, that includes the administrator account, query the account information table and the result information table in the memory 602 according to the administrator account to obtain the function verification result corresponding to the device identifier, and instruct the network interface 603 to provide that function verification result to the initiator of the query request.
Optionally, the processor 601 is also used to read the program code 610 stored in the memory 602 and then perform the following operations: if the function verification result indicates that the function of the security component is abnormal, upgrade the security component; or, if the function verification result indicates that the function of the security component is abnormal, send a notification message through the network interface 603, the notification message informing the administrator of the protective device, or the protective device itself, of the function verification result.
Optionally, the processor 601 is also used to read the program code 610 stored in the memory 602 and then perform the following operations: encrypt the test sample, and send the encrypted test sample to the protective device through the network interface 603.
Optionally, the test server 600 is a server deployed in the Internet and the protective device is deployed in a local area network, where the local area network is configured with an access control policy that prohibits the protective device in the local area network from receiving data from the Internet. The processor 601 is used to send the test sample to the protective device in the local area network through the network interface 603, and is also used to read the program code 610 stored in the memory 602 and then perform the following operation: if the test sample is successfully transmitted to the protective device, determine that the local area network's protection has a loophole.
For more details on how the processor 601 implements the above functions, refer to the descriptions in the method embodiments above, which are not repeated here.
FIG. 11 is a schematic structural diagram of a function verification apparatus for a security component provided by an embodiment of the present application. The apparatus 700 shown in FIG. 11 implements, for example, the functions of the test server in the method shown in FIG. 2.
Referring to FIG. 11, the apparatus 700 includes a providing unit 701, an obtaining unit 702 and a processing unit 703. Each unit in the apparatus 700 is implemented in whole or in part by software, hardware, firmware or any combination thereof. The providing unit 701 supports the apparatus 700 in performing S201 of the method shown in FIG. 2. The obtaining unit 702 supports the apparatus 700 in performing S205 of the method shown in FIG. 2. The processing unit 703 supports the apparatus 700 in performing S206 and S207 of the method shown in FIG. 2.
Optionally, the apparatus 700 further includes a receiving unit and a query unit; the receiving unit supports the apparatus 700 in performing step S2012, and the query unit supports the apparatus 700 in performing step S2013.
Optionally, the processing unit 703 also supports the apparatus 700 in generating the function verification result.
Optionally, the apparatus 700 further includes a storage unit and a query unit; the storage unit supports the apparatus 700 in storing the correspondence between the device identifier and the administrator account in the account information table, and the query unit supports the apparatus 700 in querying the account information table and the result information table according to the administrator account to obtain the function verification result corresponding to the device identifier.
Optionally, the processing unit 703 also supports the apparatus 700 in upgrading the security component.
Optionally, the apparatus 700 further includes a sending unit, which supports the apparatus 700 in sending the notification message.
Optionally, the processing unit 703 also supports the apparatus 700 in encrypting the test sample, and the providing unit 701 supports the apparatus 700 in sending the encrypted test sample to the protective device.
The apparatus embodiment described in FIG. 11 is merely illustrative. For example, the division into the above units is only a division by logical function; in actual implementation there may be other ways of dividing them: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. The functional units in the embodiments of the present application may be integrated into one processing unit, may each exist physically alone, or two or more units may be integrated into one unit. The units in FIG. 11 may be implemented in the form of hardware or in the form of software functional units. For example, when implemented in software, the processing unit 703 and the query unit may be implemented as software functional units generated after the processor 601 in FIG. 10 reads the program code stored in the memory 602. The units in FIG. 11 may also be implemented by different hardware in the device shown in FIG. 10; for example, the processing unit 703 is implemented by part of the processing resources of the processor 601 in FIG. 10 (for example, one or two cores of a multi-core processor), while the query unit is implemented by the remaining processing resources of the processor 601 in FIG. 10 (for example, the other cores of the multi-core processor) or by a programmable device such as a field-programmable gate array (FPGA) or a coprocessor. The providing unit 701, the obtaining unit 702 and the sending unit are implemented by the network interface 603 in FIG. 10. Obviously, the above functional units may also be implemented by a combination of software and hardware; for example, the query unit is implemented by a hardware programmable device, while the processing unit 703 is a software functional unit generated after a CPU reads the program code stored in a memory.
The embodiments in this specification are described in a progressive manner; the same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. Here, "A refers to B" means that A is the same as B or that A is a simple variant of B.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of this application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from a website, computer, server or data center to another website, computer, server or data center by wired means (for example coaxial cable, optical fiber or digital subscriber line (DSL)) or wireless means (for example infrared, radio or microwave). The computer-readable storage medium may be any available medium accessible by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD), or a semiconductor medium (for example a solid state disk (SSD)).
The above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of this application.
Claims (20)
1. A method for verifying the function of a security component, characterized in that the method comprises: providing a test sample to a protective device, the test sample comprising at least one of a test packet or a packet stream carrying a test file; obtaining a detection result generated by the security component in the protective device detecting the test sample; comparing the detection result with an expected result corresponding to the test sample; and if the detection result is consistent with the expected result, determining that the function of the security component is normal.
2. The method according to claim 1, characterized in that the test sample comprises a first test sample, and before providing the test sample to the protective device the method further comprises: receiving a download request from the protective device, the download request comprising a device identifier of the protective device; and querying a sample library according to the device identifier to obtain the first test sample, the first test sample being the test sample corresponding to the device identifier in the sample library, the sample library comprising at least one correspondence between a device identifier and a test sample.
3. The method according to claim 1, characterized in that after comparing the detection result with the expected result corresponding to the test sample the method further comprises: generating a function verification result according to whether the detection result is consistent with the expected result, the function verification result indicating whether the function of the security component is normal.
4. The method according to claim 3, characterized in that the method further comprises: in response to a registration request containing an administrator account and the device identifier of the protective device, saving the correspondence between the device identifier and the administrator account in an account information table; saving the correspondence between the function verification result and the device identifier in a result information table; and in response to a query request containing the administrator account, querying the account information table and the result information table according to the administrator account to obtain the function verification result corresponding to the device identifier, and providing the function verification result corresponding to the device identifier to the initiator of the query request.
5. The method according to claim 3, characterized in that after generating the function verification result the method further comprises: if the function verification result indicates that the function of the security component is abnormal, upgrading the security component; or, if the function verification result indicates that the function of the security component is abnormal, sending a notification message, the notification message informing the administrator of the protective device or the protective device of the function verification result.
6. The method according to claim 1, characterized in that providing the test sample to the protective device comprises: encrypting the test sample, and sending the encrypted test sample to the protective device.
7. The method according to claim 1, characterized in that the method is executed by a server deployed in the Internet and the protective device is deployed in a local area network, wherein the local area network is configured with an access control policy that prohibits protective devices in the local area network from receiving data from the Internet; providing the test sample to the protective device comprises: sending the test sample to the protective device in the local area network; and the method further comprises: if the test sample is successfully transmitted to the protective device, determining that the protection of the local area network has a vulnerability.
8. The method according to claim 1, characterized in that the detection result comprises an attack type, a protocol type, a virus type, a malicious domain name, a malicious IP address, or an indicator of no attack.
9. An apparatus for verifying the function of a security component, characterized in that the apparatus comprises: a providing unit, configured to provide a test sample to a protective device, the test sample comprising at least one of a test packet or a packet stream carrying a test file; an obtaining unit, configured to obtain a detection result generated by the security component in the protective device detecting the test sample; and a processing unit, configured to compare the detection result with an expected result corresponding to the test sample, the processing unit being further configured to determine that the function of the security component is normal if the detection result is consistent with the expected result.
10. The apparatus according to claim 9, characterized in that the test sample comprises a first test sample and the apparatus further comprises a receiving unit and a query unit; the receiving unit is configured to receive a download request from the protective device, the download request comprising a device identifier of the protective device; and the query unit is configured to query a sample library according to the device identifier to obtain the first test sample, the first test sample being the test sample corresponding to the device identifier in the sample library, the sample library comprising at least one correspondence between a device identifier and a test sample.
11. The apparatus according to claim 9, characterized in that the processing unit is further configured to generate a function verification result according to whether the detection result is consistent with the expected result, the function verification result indicating whether the function of the security component is normal.
12. The apparatus according to claim 11, characterized in that the apparatus further comprises a saving unit and a query unit; the saving unit is configured to, in response to a registration request containing an administrator account and the device identifier of the protective device, save the correspondence between the device identifier and the administrator account in an account information table, and to save the correspondence between the function verification result and the device identifier in a result information table; and the query unit is configured to, in response to a query request containing the administrator account, query the account information table and the result information table according to the administrator account to obtain the function verification result corresponding to the device identifier, and provide the function verification result corresponding to the device identifier to the initiator of the query request.
13. The apparatus according to claim 11, characterized in that the processing unit is further configured to upgrade the security component if the function verification result indicates that the function of the security component is abnormal; and the apparatus further comprises a sending unit, configured to send a notification message if the function verification result indicates that the function of the security component is abnormal, the notification message informing the administrator of the protective device or the protective device of the function verification result.
14. The apparatus according to claim 9, characterized in that the processing unit is configured to encrypt the test sample, and the providing unit is configured to send the encrypted test sample to the protective device.
15. The apparatus according to claim 9, characterized in that the apparatus is a server deployed in the Internet and the protective device is deployed in a local area network, wherein the local area network is configured with an access control policy that prohibits protective devices in the local area network from receiving data from the Internet; the providing unit is configured to send the test sample to the protective device in the local area network; and the processing unit is further configured to determine that the protection of the local area network has a vulnerability if the test sample is successfully transmitted to the protective device.
16. A test server, characterized in that the test server comprises a memory, a network interface and at least one processor; the memory is configured to store program code; and the at least one processor is configured to, after reading the program code stored in the memory, perform the following operations: instructing the network interface to provide a test sample to a protective device, the test sample comprising at least one of a test packet or a packet stream carrying a test file; obtaining, through the network interface, a detection result generated by the security component in the protective device detecting the test sample; comparing the detection result with an expected result corresponding to the test sample; and if the detection result is consistent with the expected result, determining that the function of the security component is normal.
17. The test server according to claim 16, characterized in that the test sample comprises a first test sample, and the at least one processor is further configured to, after reading the program code stored in the memory, perform the following operations: receiving, through the network interface, a download request from the protective device, the download request comprising a device identifier of the protective device; and querying a sample library stored in the memory according to the device identifier to obtain the first test sample, the first test sample being the test sample corresponding to the device identifier in the sample library, the sample library comprising at least one correspondence between a device identifier and a test sample.
18. The test server according to claim 16, characterized in that the at least one processor is further configured to, after reading the program code stored in the memory, perform the following operation: generating a function verification result according to whether the detection result is consistent with the expected result, the function verification result indicating whether the function of the security component is normal.
19. The test server according to claim 18, characterized in that the at least one processor is further configured to, after reading the program code stored in the memory, perform the following operations: in response to a registration request received by the network interface containing an administrator account and the device identifier of the protective device, saving the correspondence between the device identifier and the administrator account in an account information table stored in the memory; saving the correspondence between the function verification result and the device identifier in a result information table stored in the memory; and in response to a query request received by the network interface containing the administrator account, querying the account information table and the result information table in the memory according to the administrator account to obtain the function verification result corresponding to the device identifier, and instructing the network interface to provide the function verification result corresponding to the device identifier to the initiator of the query request.
20. A computer program product, characterized in that the computer program product comprises one or more computer program instructions which, when loaded and run by a computer, cause the computer to execute the method for verifying the function of a security component according to any one of claims 1 to 8.
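The verification loop of the method claims, run end to end as an added example in Python. This is not code from the patent or from the applicant: the device identifier, administrator account, test samples, expected results and signature tables are all constructed for the example, and a local signature-matching function stands in for the network round trip to the protective device (claim 6's encryption of the sample in transit is not modelled). The example covers the sample-library lookup by device identifier (claim 2), the comparison and function verification result (claims 1 and 3), the account and result tables with the administrator query (claim 4), and the upgrade-or-notify decision on an abnormal result (claim 5).

```python
"""Added example (not the patent's own code): a minimal test server running the
verification loop of the claims against a simulated protective device."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed sample library (claim 2): device identifier -> list of
# (sample name, test sample bytes, expected detection result). None of these
# samples is real malware; the byte patterns are placeholders for the example.
SAMPLE_LIBRARY: Dict[str, List[Tuple[str, bytes, str]]] = {
    "fw-model-A": [
        ("clean-http", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n", "no-attack"),
        ("test-file", b"EXAMPLE-TEST-FILE-SIGNATURE-NOT-REAL-MALWARE", "virus:example-test-file"),
        ("test-domain", b"GET / HTTP/1.1\r\nHost: malicious.example\r\n\r\n",
         "malicious-domain:malicious.example"),
    ],
}


def make_detector(signatures: Dict[bytes, str]) -> Callable[[bytes], str]:
    """Constructed stand-in for the security component in the protective device:
    the first matching byte pattern decides the detection result (claim 8 lists
    the kinds of result a real component would report)."""
    def detect(sample: bytes) -> str:
        for pattern, label in signatures.items():
            if pattern in sample:
                return label
        return "no-attack"
    return detect


# An up-to-date signature table and a stale one that lacks the domain signature.
UP_TO_DATE = {
    b"EXAMPLE-TEST-FILE-SIGNATURE-NOT-REAL-MALWARE": "virus:example-test-file",
    b"Host: malicious.example": "malicious-domain:malicious.example",
}
STALE = {b"EXAMPLE-TEST-FILE-SIGNATURE-NOT-REAL-MALWARE": "virus:example-test-file"}


@dataclass
class TestServer:
    account_table: Dict[str, str] = field(default_factory=dict)   # device id -> admin account
    result_table: Dict[str, dict] = field(default_factory=dict)   # device id -> verification result

    def register(self, admin_account: str, device_id: str) -> None:
        """Registration request (claim 4): record which administrator owns the device."""
        self.account_table[device_id] = admin_account

    def handle_download_request(self, device_id: str) -> List[Tuple[str, bytes, str]]:
        """Download request (claim 2): the samples stored for this device identifier."""
        return SAMPLE_LIBRARY.get(device_id, [])

    def verify(self, device_id: str, detect: Callable[[bytes], str]) -> dict:
        """Claims 1 and 3: provide each sample, compare the detection result with the
        expected result, and record a function verification result for the device."""
        per_sample = {}
        for name, sample, expected in self.handle_download_request(device_id):
            actual = detect(sample)   # stands in for sending the sample and fetching the result
            per_sample[name] = {"expected": expected, "actual": actual, "match": actual == expected}
        # An unknown device (no samples) is never reported as normal.
        normal = bool(per_sample) and all(r["match"] for r in per_sample.values())
        # Claim 5: an abnormal result triggers an upgrade of the component or a notification.
        action = "none" if normal else "upgrade-or-notify"
        result = {"device_id": device_id, "normal": normal, "action": action, "samples": per_sample}
        self.result_table[device_id] = result
        return result

    def query(self, admin_account: str) -> Dict[str, dict]:
        """Query request (claim 4): join the account table with the result table so an
        administrator only sees the results of devices registered to that account."""
        return {dev: self.result_table[dev]
                for dev, acct in self.account_table.items()
                if acct == admin_account and dev in self.result_table}


if __name__ == "__main__":
    server = TestServer()
    server.register("admin@example.test", "fw-model-A")
    print(server.verify("fw-model-A", make_detector(UP_TO_DATE))["normal"])  # True
    print(server.verify("fw-model-A", make_detector(STALE))["normal"])       # False
    print(server.query("admin@example.test")["fw-model-A"]["action"])        # upgrade-or-notify
```

The stale signature table is the failure mode the claims are built to catch: the component still runs and still returns a result for every sample, so only the comparison against the expected result per sample reveals that one detection capability is missing. Keeping a benign sample in the library alongside the detection samples also checks that the component does not flag everything.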
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110152435.8A CN114928564A (en) | 2021-02-03 | 2021-02-03 | Function verification method and device of security component |
CN202110152435.8 | 2021-02-03 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022166166A1 true WO2022166166A1 (en) | 2022-08-11 |
Family
ID=82740652
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/113909 WO2022166166A1 (en) | 2021-02-03 | 2021-08-20 | Function verification method and apparatus for security component |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114928564A (en) |
WO (1) | WO2022166166A1 (en) |
2021
- 2021-02-03 CN CN202110152435.8A patent/CN114928564A/en active Pending
- 2021-08-20 WO PCT/CN2021/113909 patent/WO2022166166A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160277357A1 (en) * | 2013-03-18 | 2016-09-22 | British Telecommunications Public Limited Company | Firewall testing |
CN108521354A (en) * | 2018-04-17 | 2018-09-11 | 中国人民解放军战略支援部队信息工程大学 | A kind of IPv6 Firewall Protections aptitude tests device and test method |
CN110430096A (en) * | 2019-08-06 | 2019-11-08 | 深圳市同维通信技术有限公司 | A kind of gateway test method and equipment |
CN111600781A (en) * | 2020-07-27 | 2020-08-28 | 中国人民解放军国防科技大学 | Firewall system stability testing method based on tester |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113704749A (en) * | 2020-05-20 | 2021-11-26 | 中国移动通信集团浙江有限公司 | Malicious excavation detection processing method and device |
CN113704749B (en) * | 2020-05-20 | 2024-03-19 | 中国移动通信集团浙江有限公司 | Malicious mining detection processing method and device |
CN116669064A (en) * | 2022-12-08 | 2023-08-29 | 荣耀终端有限公司 | Wireless protocol testing method and electronic equipment |
CN116669064B (en) * | 2022-12-08 | 2024-04-05 | 荣耀终端有限公司 | Wireless protocol testing method and electronic equipment |
Also Published As
Publication number | Publication date |
---|---|
CN114928564A (en) | 2022-08-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10992704B2 (en) | | Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network |
US10298610B2 (en) | | Efficient and secure user credential store for credentials enforcement using a firewall |
US10425387B2 (en) | | Credentials enforcement using a firewall |
US10354072B2 (en) | | System and method for detection of malicious hypertext transfer protocol chains |
US9680860B1 (en) | | Endpoint-based man in the middle attack detection using multiple types of detection tests |
US9401927B2 (en) | | Compromised insider honey pots using reverse honey tokens |
US9356950B2 (en) | | Evaluating URLS for malicious content |
US11240260B2 (en) | | System and method for detecting computer network intrusions |
US8997201B2 (en) | | Integrity monitoring to detect changes at network device for use in secure network access |
US10257213B2 (en) | | Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program |
US20170070518A1 (en) | | Advanced persistent threat identification |
JP2013011949A (en) | | Feature information extraction device, feature information extraction method and feature information extraction program |
WO2022166166A1 (en) | | Function verification method and apparatus for security component |
EP2541877A1 (en) | | Method for changing a server address and related aspects |
WO2017217247A1 (en) | | Malignant event detection apparatus, malignant event detection method, and malignant event detection program |
EP2541861A1 (en) | | Server security systems and related aspects |
US20220337488A1 (en) | | Network device type classification |
US20240333759A1 (en) | | Inline ransomware detection via server message block (smb) traffic |
WO2022156197A1 (en) | | Attack success identification method and protection device |
JP2023511095A (en) | | Systems and methods for network monitoring, reporting and risk mitigation |
Ibitola et al. | | Analysis of Network-Based Intrusion Detection and Prevention System in an Enterprise Network Using Snort Freeware |
Kenar | | An extensible framework for automated network attack signature generation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21924165 Country of ref document: EP Kind code of ref document: A1 |